{"id":"ASB-A-277207798","details":"In onCreate of ChooserActivity.java , there is a possible way to view other users' images due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-277207798","CVE-2025-22416"],"modified":"2026-05-18T15:08:09.253695Z","published":"2025-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/82aa8527b7da3dbbc2f19c869b4ded106e140452"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-04-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-04-01","severity":"High","types":["EoP"],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java"},"digest":{"line_hashes":["253726217667786760008791040528132999656","228422336533060252731829592399006004338","335424932981330831523731482027422461698","45605471419092542802268726131796893831","231196650600773283353027740648307444990","13750646095156668772480085108097034858","46688699789534617252032762653797350857","76484926273318022941110547313781106396","319801971747590014370831222802487791519","225167580596828937992821877251436851634","130607908879052246674719283887525476671","153132771818589155319113541875463098830","99776271114638537866965957305766270641","205008932327429738391762413441071538873","290436820296095206163711891884675157053","107881527603548020291656350860705051943","76647954778615471049259555882753692194","80810554446883258785855333051732088581","338282417515360549291114073952096767125","194786844876987425545005515131039931828","260328569219012495242470606039928699047","13631907288037037077954071872415923239","75662308371422950237069767970774920254"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-277207798-7bfb99a2"},{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java","function":"onCreate"},"digest":{"length":6244,"function_hash":"336671546719732193332363639853093470883"},"signature_type":"Function","id":"ASB-A-277207798-d9229806"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-277207798.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-04-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-04-01","severity":"High","types":["EoP"],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c108d3866a3e6b1d7780325d862f20450a36d573","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java"},"digest":{"line_hashes":["253726217667786760008791040528132999656","228422336533060252731829592399006004338","335424932981330831523731482027422461698","45605471419092542802268726131796893831","231196650600773283353027740648307444990","13750646095156668772480085108097034858","46688699789534617252032762653797350857","76484926273318022941110547313781106396","319801971747590014370831222802487791519","225167580596828937992821877251436851634","130607908879052246674719283887525476671","153132771818589155319113541875463098830","99776271114638537866965957305766270641","205008932327429738391762413441071538873","290436820296095206163711891884675157053","107881527603548020291656350860705051943","76647954778615471049259555882753692194","80810554446883258785855333051732088581","338282417515360549291114073952096767125","194786844876987425545005515131039931828","260328569219012495242470606039928699047","13631907288037037077954071872415923239","75662308371422950237069767970774920254"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-277207798-8a716ff5"},{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c108d3866a3e6b1d7780325d862f20450a36d573","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java","function":"onCreate"},"digest":{"length":6002,"function_hash":"258799873586369524372392063352180921580"},"signature_type":"Function","id":"ASB-A-277207798-a30cbc47"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c108d3866a3e6b1d7780325d862f20450a36d573"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-277207798.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-04-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-04-01","severity":"High","types":["EoP"],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/e73bb60fed12daa78ddad8308b31b0c78f1c3c66","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java"},"digest":{"line_hashes":["41390077426975099314374087252517731925","45681176917284083586723022694067938350","333957807868229023926107419401633699128","102431590296808685158151479537038954109","26172496286527130508864160995380617790","319801971747590014370831222802487791519","225167580596828937992821877251436851634","130607908879052246674719283887525476671","153132771818589155319113541875463098830","99776271114638537866965957305766270641","205008932327429738391762413441071538873","290436820296095206163711891884675157053","107881527603548020291656350860705051943","76647954778615471049259555882753692194","80810554446883258785855333051732088581","338282417515360549291114073952096767125","194786844876987425545005515131039931828","260328569219012495242470606039928699047","13631907288037037077954071872415923239","75662308371422950237069767970774920254"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-277207798-474c274f"},{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/e73bb60fed12daa78ddad8308b31b0c78f1c3c66","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java","function":"onCreate"},"digest":{"length":6212,"function_hash":"175854063412095478767692237294382957975"},"signature_type":"Function","id":"ASB-A-277207798-ee415272"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e73bb60fed12daa78ddad8308b31b0c78f1c3c66"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-277207798.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-04-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-04-01","severity":"High","types":["EoP"],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java"},"digest":{"line_hashes":["253726217667786760008791040528132999656","228422336533060252731829592399006004338","335424932981330831523731482027422461698","45605471419092542802268726131796893831","231196650600773283353027740648307444990","13750646095156668772480085108097034858","46688699789534617252032762653797350857","76484926273318022941110547313781106396","319801971747590014370831222802487791519","225167580596828937992821877251436851634","130607908879052246674719283887525476671","153132771818589155319113541875463098830","99776271114638537866965957305766270641","205008932327429738391762413441071538873","290436820296095206163711891884675157053","107881527603548020291656350860705051943","76647954778615471049259555882753692194","80810554446883258785855333051732088581","338282417515360549291114073952096767125","194786844876987425545005515131039931828","260328569219012495242470606039928699047","13631907288037037077954071872415923239","75662308371422950237069767970774920254"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-277207798-1a5b2f62"},{"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00","target":{"file":"core/java/com/android/internal/app/ChooserActivity.java","function":"onCreate"},"digest":{"length":6244,"function_hash":"336671546719732193332363639853093470883"},"signature_type":"Function","id":"ASB-A-277207798-a54d35e8"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/bad47a2280c7107e1213f4adc5a3825a62698d00"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-277207798.json"}}],"schema_version":"1.7.5"}